XSS Vulnerability on closeText option of Dialog jQuery UI #281

Closed
@1001binary

I couldn't submit the bug to the website http://bugs.jqueryui.com/newticket.

VULNERABILITY DETAILS

A potential bug enables us to inject XSS content into the closeText option of the ui dialog component. As per the original jQuery UI documentation (https://api.jqueryui.com/dialog/#option-closeText), we shall not accept any HTML string inside it.

VERSION

Any site using the latest version of jQuery UI, 1.11.4.

REPRODUCTION CASE

  • Create a new HTML page.
  • Inject this content into the new page.

```html
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>XSS in closeText option of component ui dialog</title>

    <script src="https://code.jquery.com/jquery-2.1.4.js"></script>
    <script src="https://code.jquery.com/ui/1.11.4/jquery-ui.js"></script>
    <link rel="stylesheet" type="text/css" href="http://code.jquery.com/ui/1.9.1/themes/base/jquery-ui.css">
    <script>
        $(document).ready(function () {
            $('#dialog').dialog({ closeText: '<script>alert("XSS")<\/script>' });
        });
    </script>
</head>
<body>
    <div id="dialog" title="Dialog Title">Content here!</div>
</body>
</html>
```

  • An alert popup was shown.
  • Completed.

IN CONCLUSION

We expect that HTML strings aren't allowed in the closeText option and that the alert popup is not shown. If it displays, any attacker can take advantage by injecting malicious XSS content into the website.

Please see details here: http://jsfiddle.net/0wjdtcc6/
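
The difference between inserting closeText as HTML and as text, as an added example that is not part of the original report and not jQuery UI code. The function names are hypothetical, and the sample value is the one from the reproduction case.

```javascript
// Added example: models how a widget can turn a text option into markup.
// All function names are hypothetical; none of this is jQuery UI source code.
'use strict';

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the option is concatenated into markup, so tags in it become elements.
function renderCloseButtonUnsafe(closeText) {
  return '<button class="ui-dialog-titlebar-close"><span>' + closeText + '</span></button>';
}

// "After": the option is encoded first, so it can only ever render as text.
function renderCloseButtonSafe(closeText) {
  return '<button class="ui-dialog-titlebar-close"><span>' + escapeHtml(closeText) + '</span></button>';
}

// Application-side stopgap: encode closeText before handing options to .dialog().
// Assumes the widget inserts the value as HTML, as the report describes.
function hardenDialogOptions(options) {
  const hardened = Object.assign({}, options);
  if (typeof hardened.closeText === 'string') {
    hardened.closeText = escapeHtml(hardened.closeText);
  }
  return hardened;
}

// Constructed sample input: the value used in the reproduction case above.
const sample = '<script>alert("XSS")</script>';
console.log(renderCloseButtonUnsafe(sample));
console.log(renderCloseButtonSafe(sample));
console.log(hardenDialogOptions({ closeText: sample, modal: true }));
```

Once the widget itself treats closeText as plain text, remove the stopgap wrapper, otherwise the label is encoded twice and users see literal entities.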
